CVE-2024-13892

Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to command injection. During the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, what allows for command injection. The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/03/CVE-2024-13892/
https://www.smartwares.eu/en-gb/smartwares-cip-37210at-indoor-wi-fi-camera-cip--37210at

Configurations

No configuration.

History

03 Oct 2025, 09:15

Type	Values Removed	Values Added
Summary		(es) Smartwares cameras CIP-37210AT y C724IP, así como otras que comparten el mismo firmware en versiones hasta la 3.3.0, son vulnerables a la inyección de comandos. Durante el proceso de inicialización, un usuario tiene que usar una aplicación móvil para proporcionar a los dispositivos las credenciales del punto de acceso. Esta entrada no está debidamente depurada, lo que permite la inyección de comandos. El proveedor no ha respondido a los informes, por lo que el estado de la aplicación de parches sigue siendo desconocido. Las versiones de firmware más nuevas también podrían ser vulnerables.
CWE	~~CWE-77~~	CWE-78

06 Mar 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-06 14:15

Updated : 2025-10-03 09:15

NVD link : CVE-2024-13892

Mitre link : CVE-2024-13892

CVE.ORG link : CVE-2024-13892

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-13892", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-06T14:15:35.453", "references": [{"url": "https://cert.pl/en/posts/2025/03/CVE-2024-13892/", "source": "cvd@cert.pl"}, {"url": "https://www.smartwares.eu/en-gb/smartwares-cip-37210at-indoor-wi-fi-camera-cip--37210at", "source": "cvd@cert.pl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Smartwares cameras\u00a0CIP-37210AT and\u00a0C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to command injection. \nDuring the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, what allows for command injection.\nThe vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well."}, {"lang": "es", "value": "Smartwares cameras CIP-37210AT y C724IP, as\u00ed como otras que comparten el mismo firmware en versiones hasta la 3.3.0, son vulnerables a la inyecci\u00f3n de comandos. Durante el proceso de inicializaci\u00f3n, un usuario tiene que usar una aplicaci\u00f3n m\u00f3vil para proporcionar a los dispositivos las credenciales del punto de acceso. Esta entrada no est\u00e1 debidamente depurada, lo que permite la inyecci\u00f3n de comandos. El proveedor no ha respondido a los informes, por lo que el estado de la aplicaci\u00f3n de parches sigue siendo desconocido. Las versiones de firmware m\u00e1s nuevas tambi\u00e9n podr\u00edan ser vulnerables."}], "lastModified": "2025-10-03T09:15:32.980", "sourceIdentifier": "cvd@cert.pl"}